AMENDMENTS TO THE CLAIMS 

Listing of Claims 

The following listing of claims replaces all previous versions. 

1. (Currently Amended) A computer system providing Internet protocol security without 
secure domain name resolution, the system comprising: 

a local domain name service (DNS) server that is communicatively coupled to a 
processor and that includes a secure Internet security protocol (IPSEC) cache, 
wherein the secure IPSEC cache is readable only by an Internet protocol (IP) 
processing layer of an operating system that controls execution of an 
application program by the processor, and wherein each cache entry 
comprises information that uniquely associates the cache entry with a 
particular application process or execution time; 

a security policy data store that is communicatively coupled to the IP processing 
layer; 

a computer-readable medium accessible to the processor and comprising one or more 
sequences of instructions which, when executed by the processor, cause the 
processor to carry out the steps of: 

receiving a message generated as a result of execution of the application 
program and that contains a domain name; 

receiving a data packet from the application; 

in response to receiving the data packet from the application, searching the 
secure IPSEC cache for an entry that matches the domain name, 
wherein the searching comprises verifying using the information that 
uniquely associates the cache entry with a particular application 
process or execution time to verify that the domain name in the entry 
matches the domain name contained in the message; 

querying the security policy data store for an IPSEC policy matching the 
domain name, wherein the IP processing layer verifies that the policy 
matches the domain name contained in the message; 

50325-0594 (Seq. No. 4788)    2 
Application of Jonathan Trostle, Ser. No. 10/023,622, Filed December 17, 2001 
Reply to Final Office Action 


in response to obtaining an IPSEC policy, applying the IPSEC policy to the 
data packet message; and 

purging the matching entry from the cache. 

2. (Currently Amended) A computer system as recited in Claim 1, wherein the secure 
IPSEC cache comprises a plurality of cache entries, wherein each cache entry 
comprises a DNS name, one or more corresponding IP addresses, and information 
that uniquely associates the cache entry with a particular application process or 
execution time. 

3. (Original) A computer system as recited in Claim 2, wherein the step of searching the 
secure IPSEC cache further comprises the step of searching the secure IPSEC cache 
for an entry that matches a process identifier of the application program, based on the 
information that uniquely associates the cache entry with a particular application 
process or execution time. 

4. (Original) A computer system as recited in Claim 2, wherein the information that 
uniquely associates the cache entry with a particular application process or execution 
time comprises a process identifier value and a transaction identifier value. 

5. (Original) A computer system as recited in Claim 4, wherein the step of searching the 
secure IPSEC cache further comprises the step of searching the secure IPSEC cache 
for an entry that matches a process and transaction associated with the application 
program, based on the process identifier value and transaction identifier value in the 
cache. 

6. (Original) A computer system as recited in Claim 1, further comprising the step of 
querying the security policy database for an IPSEC policy based on an IP address that 
is resolved from the domain name received from the application program only when a 
matching cache entry is not found by searching the cache based on the domain name. 
7. (Original) A computer system as recited in Claim 1, further comprising the steps of: 
receiving a request to resolve a DNS name into network addresses; 

resolving the DNS name using the local DNS server, resulting in generating one or 
more network addresses corresponding to the DNS name; 

determining identifier information that uniquely associates the request with a 
particular application process or execution time; and 

storing the DNS name, the network addresses, and the identifier information as an 
entry in the secure IPSEC cache. 

8. (Currently Amended) A method for providing Internet protocol security without 
secure domain name resolution, the method comprising the computer-implemented 
steps of: 

receiving a message generated as a result of execution of an application program and 
that contains a domain name; 

receiving a data packet from the application; 

in response to receiving the data packet from the application, searching a secure 
Internet security protocol (IPSEC) cache for an entry that matches the domain 
name, wherein the searching comprises verifying that the domain name in the 
entry matches the domain name contained in the message, wherein the secure 
IPSEC cache is communicatively coupled to a local domain name service 
(DNS) server, and wherein the secure IPSEC cache is readable only by an 
Internet protocol (IP) processing layer of an operating system that controls 
execution of the application program, and wherein each cache entry comprises 
information that uniquely associates the cache entry with a particular 
application process or execution time; and further wherein the searching 
comprises using the information that uniquely associates the cache entry with 
a particular application process or execution time to verify that the domain 
name in the entry matches the domain name contained in the message; 
in response to obtaining an IPSEC policy, querying a security policy data store that is 
communicatively coupled to the IP processing layer for an IPSEC policy 
matching the domain name, wherein the IP processing layer verifies that the 
policy matches the domain name contained in the message; 

applying the IPSEC policy to the data packet message; and 

purging the matching entry from the cache. 

9. (Currently Amended) A method as recited in Claim 8, wherein the secure IPSEC 
cache comprises a plurality of cache entries, wherein each cache entry comprises a 
DNS name, one or more corresponding IP addresses, and information that uniquely 
associates the cache entry with a particular application process or execution time. 

10. (Original) A method as recited in Claim 9, wherein the step of searching the secure 
IPSEC cache further comprises the step of searching the secure IPSEC cache for an 
entry that matches a process identifier of the application program, based on the 
information that uniquely associates the cache entry with a particular application 
process or execution time. 

11. (Original) A method as recited in Claim 9, wherein the information that uniquely 
associates the cache entry with a particular application process or execution time 
comprises a process identifier value and a transaction identifier value. 

12. (Original) A method as recited in Claim 11, wherein the step of searching the secure 
IPSEC cache further comprises the step of searching the secure IPSEC cache for an 
entry that matches a process and transaction associated with the application program, 
based on the process identifier value and transaction identifier value in the cache. 

13. (Original) A method as recited in Claim 8, further comprising the step of querying the 
security policy database for an IPSEC policy based on an IP address that is resolved 
from the domain name received from the application program only when a matching 
cache entry is not found by searching the cache based on the domain name. 
14. (Original) A method as recited in Claim 8, further comprising the steps of: 
receiving a request to resolve a DNS name into network addresses; 

resolving the DNS name using the local DNS server, resulting in generating one or 
more network addresses corresponding to the DNS name; 

determining identifier information that uniquely associates the request with a 
particular application process or execution time; and 

storing the DNS name, the network addresses, and the identifier information as an 
entry in the secure IPSEC cache. 

15. (Previously Presented) A computer-readable medium carrying one or more sequences 
of instructions for providing Internet protocol security without secure domain name 
resolution, which instructions, when executed by one or more processors, cause the 
one or more processors to carry out the steps of: 

receiving a message generated as a result of execution of an application program and 
that contains a domain name; 

receiving a data packet from the application; 

in response to receiving the data packet from the application, searching a secure 
Internet security protocol (IPSEC) cache for an entry that matches the domain 
name, wherein the searching comprises verifying that the domain name in the 
entry matches the domain name contained in the message, wherein the secure 
IPSEC cache is communicatively coupled to a local domain name service 
(DNS) server, and wherein the secure IPSEC cache is readable only by an 
Internet protocol (IP) processing layer of an operating system that controls 
execution of the application program, and wherein each cache entry comprises 
information that uniquely associates the cache entry with a particular 
application process or execution time; and further wherein the searching 
comprises using the information that uniquely associates the cache entry with 
a particular application process or execution time to verify that the domain 
name in the entry matches the domain name contained in the message; 
in response to obtaining an IPSEC policy, querying a security policy data store that is 
communicatively coupled to the IP processing layer for an IPSEC policy 
matching the domain name, wherein the IP processing layer verifies that the 
policy matches the domain name contained in the message; 

applying the IPSEC policy to the data packet message; and 

purging the matching entry from the cache. 

16-21. (Canceled) 

22. (Currently Amended) An apparatus for providing Internet protocol security without 
secure domain name resolution, comprising: 

means for receiving a message generated as a result of execution of an application 
program and that contains a domain name; 

means for receiving a data packet from the application; 

means for searching a secure Internet security protocol (IPSEC) cache for an entry 
that matches the domain name, wherein the searching comprises verifying 
that the domain name in the entry matches the domain name contained in the 
message, wherein the secure IPSEC cache is communicatively coupled to a 
local domain name service (DNS) server, and wherein the secure IPSEC cache 
is readable only by an Internet protocol (IP) processing layer of an operating 
system that controls execution of the application program, and wherein each 
cache entry comprises information that uniquely associates the cache entry 
with a particular application process or execution time; and wherein the means 
for searching comprises means for using the information that uniquely 
associates the cache entry with a particular application process or execution 
time to verify that the domain name in the entry matches the domain name 
contained in the message; 

means for querying a security policy data store that is communicatively coupled to 
the IP processing layer for an IPSEC policy matching the domain name, 
wherein the IP processing layer verifies that the policy matches the domain 
name contained in the message; 

means for applying the IPSEC policy to the data packet message; and 

means for purging the matching entry from the cache. 

23. (Currently Amended) An apparatus for providing Internet protocol security, without 
secure domain name resolution, for messages that are carried by a packet-switched 
data network, comprising: 

a network interface that is coupled to the data network for receiving one or more 

packet flows therefrom; 
a processor; 

one or more stored sequences of instructions which, when executed by the processor, 

cause the processor to carry out the steps of: 
receiving a message generated as a result of execution of an application program and 

that contains a domain name; 
receiving a data packet from the application; 

in response to receiving the data packet from the application, searching a secure 
Internet security protocol (IPSEC) cache for an entry that matches the domain 
name, wherein the searching comprises verifying that the domain name in the 
entry matches the domain name contained in the message, wherein the secure 
IPSEC cache is communicatively coupled to a local domain name service 
(DNS) server, and wherein the secure IPSEC cache is readable only by an 
Internet protocol (IP) processing layer of an operating system that controls 
execution of the application program, and wherein each cache entry comprises 
information that uniquely associates the cache entry with a particular 
application process or execution time; and further wherein the searching 
comprises using the information that uniquely associates the cache entry with 
a particular application process or execution time to verify that the domain 
name in the entry matches the domain name contained in the message; 

in response to obtaining an IPSEC policy, querying a security policy data store that is 
communicatively coupled to the IP processing layer for an IPSEC policy 
matching the domain name, wherein the IP processing layer verifies that the 
policy matches the domain name contained in the message; 

applying the IPSEC policy to the data packet message; and 

purging the matching entry from the cache. 

24. (New) An apparatus as recited in Claim 22, wherein the secure IPSEC cache 
comprises a plurality of cache entries, wherein each cache entry comprises a DNS 
name and one or more corresponding IP addresses. 

25. (New) An apparatus as recited in Claim 24, wherein the means for searching the secure 
IPSEC cache further comprises means for searching the secure IPSEC cache for an 
entry that matches a process identifier of the application program, based on the 
information that uniquely associates the cache entry with a particular application 
process or execution time. 

26. (New) An apparatus as recited in Claim 25, wherein the information that uniquely 
associates the cache entry with a particular application process or execution time 
comprises a process identifier value and a transaction identifier value. 

27. (New) An apparatus as recited in Claim 26, wherein the means for searching the secure 
IPSEC cache further comprises means for searching the secure IPSEC cache for an 
entry that matches a process and transaction associated with the application program, 
based on the process identifier value and transaction identifier value in the cache. 

28. (New) An apparatus as recited in Claim 22, further comprising means for querying the 
security policy database for an IPSEC policy based on an IP address that is resolved 
from the domain name received from the application program only when a matching 
cache entry is not found by searching the cache based on the domain name. 

29. (New) An apparatus as recited in Claim 22, further comprising: 

means for receiving a request to resolve a DNS name into network addresses; 
means for resolving the DNS name using the local DNS server, resulting in 

generating one or more network addresses corresponding to the DNS name; 
means for determining identifier information that uniquely associates the request with 
a particular application process or execution time; and 
means for storing the DNS name, the network addresses, and the identifier 

information as an entry in the secure IPSEC cache. 
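The mechanism recited in Claims 1-7 and mirrored in the method, medium and apparatus claims (8-15, 22-29) can be read as a small state machine: the local DNS server writes (name, addresses, process identifier, transaction identifier) entries into a cache that only the IP processing layer may read; on each outgoing packet the IP layer looks the entry up by domain name and checks that the entry's process and transaction identifiers match the sending process, fetches and verifies the name-keyed IPSEC policy, applies it, and purges the one-shot entry; if no bound entry exists it falls back to a policy keyed on the destination address (Claims 6, 13, 28). The following simulation is an added example written for this page; it is not the applicant's implementation and not code from any product. All class and method names (SecureIpsecCache, LocalDnsServer, IpProcessingLayer, process_packet), the zone data, the policy actions and the addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CacheEntry:
    dns_name: str
    addresses: Tuple[str, ...]
    pid: int   # process identifier of the resolving application
    txid: int  # transaction identifier of that resolution request


@dataclass(frozen=True)
class IpsecPolicy:
    selector: str  # domain name or IP address the policy was written for
    action: str    # "esp-aes-sha" (protect) or "bypass"


class SecureIpsecCache:
    """Entries keyed by DNS name and bound to (pid, txid); readable only by `reader`."""
    def __init__(self, reader):
        self._reader = reader  # the IP processing layer, the only permitted reader
        self._entries: List[CacheEntry] = []

    def store(self, entry):  # written by the local DNS server at resolution time
        self._entries.append(entry)

    def _check_reader(self, caller):
        if caller is not self._reader:
            raise PermissionError("secure IPSEC cache is readable only by the IP layer")

    def find(self, caller, dns_name, pid, txid) -> Optional[CacheEntry]:
        self._check_reader(caller)
        for entry in self._entries:
            if (entry.dns_name, entry.pid, entry.txid) == (dns_name, pid, txid):
                return entry
        return None

    def purge(self, caller, entry):
        self._check_reader(caller)
        self._entries.remove(entry)


class LocalDnsServer:
    """Resolves names from a constructed zone and populates the secure cache."""
    def __init__(self, zone: Dict[str, Tuple[str, ...]], cache: SecureIpsecCache):
        self._zone, self._cache = zone, cache

    def resolve(self, dns_name, pid, txid) -> Tuple[str, ...]:
        addresses = self._zone[dns_name]
        self._cache.store(CacheEntry(dns_name, addresses, pid, txid))
        return addresses


class IpProcessingLayer:
    """Owns the cache and carries out the per-packet steps of Claim 1."""
    def __init__(self, policies: Dict[str, IpsecPolicy]):
        self.cache = SecureIpsecCache(reader=self)
        self._policies = policies

    def process_packet(self, domain_name, dst_address, pid, txid) -> dict:
        entry = self.cache.find(self, domain_name, pid, txid)
        if entry is not None:
            # Name-keyed policy, checked against the name in the message; the
            # one-shot entry is then purged so a later packet cannot reuse it.
            policy = self._policies.get(domain_name)
            if policy is not None and policy.selector != domain_name:
                policy = None
            self.cache.purge(self, entry)
            source = "cache"
        else:
            # No entry bound to this process/transaction: fall back to the policy
            # keyed on the destination IP address (Claims 6, 13 and 28).
            policy = self._policies.get(dst_address)
            source = "address"
        action = policy.action if policy is not None else "discard"
        return {"source": source, "action": action, "purged": entry is not None}


def demo() -> dict:
    # Constructed zone and policies, not taken from the patent.
    ip_layer = IpProcessingLayer({
        "payroll.example": IpsecPolicy("payroll.example", "esp-aes-sha"),
        "10.0.0.5": IpsecPolicy("10.0.0.5", "esp-aes-sha"),
    })
    dns = LocalDnsServer({"payroll.example": ("10.0.0.5",)}, ip_layer.cache)
    # Process 1234 resolves the name (the DNS server writes the entry), then sends.
    addrs = dns.resolve("payroll.example", pid=1234, txid=1)
    first = ip_layer.process_packet("payroll.example", addrs[0], pid=1234, txid=1)
    # Same process again: the entry was purged, so the address policy applies.
    second = ip_layer.process_packet("payroll.example", addrs[0], pid=1234, txid=1)
    # Another process presents the same name without having resolved it: nothing is
    # bound to (999, 7), and its real destination has no policy, so it is discarded.
    other = ip_layer.process_packet("payroll.example", "203.0.113.9", pid=999, txid=7)
    try:  # an application process cannot read the cache directly
        ip_layer.cache.find(object(), "payroll.example", 1234, 1)
        app_can_read = True
    except PermissionError:
        app_can_read = False
    return {"first": first, "second": second, "other": other, "app_can_read": app_can_read}
```

The point the (pid, txid) binding makes is visible in the third packet: a process that merely claims a domain name it never resolved gets no cache hit, so the name-keyed policy cannot be borrowed and the decision falls through to the address-keyed policy or to discard. Purging after one use is what keeps a resolved name from being replayed by later packets of the same process.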